Re: less: fix use after free bug

2021-12-31 Thread Philip Guenther
On Fri, Dec 31, 2021 at 6:22 AM Tobias Stoeckmann wrote:
> Hi,
>
> it is possible to trigger a use after free bug in less with huge
> files or tight memory constraints. PoC with 100 MB file:
>
> dd if=/dev/zero bs=1024 count=102400 | tr '\0' 'a' > less-poc.txt
> ulimit -d 157286
> less less-poc.t

Re: Fix GNUism in bsd.dep.mk

2021-12-31 Thread Philip Guenther
On Fri, Dec 31, 2021 at 7:44 AM Christian Ehrhardt wrote:
> Here at genua, trying to build libpcap sometimes breaks in
> libpcap with the following error message:
>
> | Using $< in a non-suffix rule context is a GNUmake idiom \
> |(/data/git/ehrhardt/genuos/os/mk/bsd.dep.mk:47)
>
> The bug is

Re: unlock mmap(2) for anonymous mappings

2021-12-31 Thread Vitaliy Makkoveev
The uvm_wxabort path within uvm_wxcheck() does not look MP-safe.
> On 31 Dec 2021, at 12:14, Klemens Nanni wrote:
>
> Now that mpi has unlocked uvm's fault handler, we can unlock the mmap
> syscall to handle MAP_ANON without the big lock.
>
> sys_mmap() still protects the !MAP_ANON case, i.e. file

Re: unlock mmap(2) for anonymous mappings

2021-12-31 Thread Theo de Raadt
>Now that mpi has unlocked uvm's fault handler, we can unlock the mmap
>syscall to handle MAP_ANON without the big lock.
...
>So here's a first small step. I've been running with this for months
>on a few amd64, arm64 and sparc64 boxes without problems
So, 3 architectures have been tested. I rea

Fix GNUism in bsd.dep.mk

2021-12-31 Thread Christian Ehrhardt
Hi,

Here at genua, trying to build libpcap sometimes breaks in libpcap with the following error message:

| Using $< in a non-suffix rule context is a GNUmake idiom \
|(/data/git/ehrhardt/genuos/os/mk/bsd.dep.mk:47)

The bug is in bsd.dep.mk where ${.IMPSRC} (aka $<) is used in a c

less: fix use after free bug

2021-12-31 Thread Tobias Stoeckmann
Hi,

it is possible to trigger a use after free bug in less with huge files or tight memory constraints. PoC with 100 MB file:

dd if=/dev/zero bs=1024 count=102400 | tr '\0' 'a' > less-poc.txt
ulimit -d 157286
less less-poc.txt

The linebuf and attr buffers in line.c are supposed to never be freed

unlock mmap(2) for anonymous mappings

2021-12-31 Thread Klemens Nanni
Now that mpi has unlocked uvm's fault handler, we can unlock the mmap syscall to handle MAP_ANON without the big lock. sys_mmap() still protects the !MAP_ANON case, i.e. file based mappings, with the KERNEL_LOCK() itself, which is why unlocking the syscall will only change locking behaviour for an